SELinux Mailing List

[patch] enhanced MLS support

From: Darrel Goeddel <dgoeddel_at_TrustedCS.com>
Date: Mon, 17 Jan 2005 17:13:06 -0600


Hello,

I have attached patches which provide many enhancements to the MLS support within SELinux - highlights are listed below. The patches are against the latest sourceforge CVS tree. The kern-0117.patch applies to the nsa/linux-2.6 tree and the usr-0117.patch applies to the nsa/selinux-usr tree. We have been using this code for a while and have had several sets of eyes go over it - we are now presenting this for inclusion into the mainline SELinux tree. We appreciate all feedback and will attempt to answer all questions.

Thanks.

Darrel

Replaced the existing MLS logic with a flexible system based on the current constraints language. The constraints were extended to include operations for levels. This allows for configurable overrides of MLS policy rather than using the previous hardcoded attributes. It also allows for a more flexible MLS policy: you can choose a strict BLP model or a modified BLP model which does not allow write-up, you can limit a class to be "single level", etc. The "constrain" and "validatetrans" (see next item) statements are mirrored by the "mlsconstrain" and "mlsvalidatetrans" statements. They use the same code for everything, they just live in different files (constraints vs. mls).

Added validatetrans statements to the policy which are used along with constraints. The syntax for these statements is the same as the syntax for constraints with three additional expressions available: "u3 op names", "r3 op names", and "t3 op names". For these rules, the *1 tokens refer to the "old context", the *2 tokens refer to the "new context", and the *3 tokens refer to the "process context". These rules are currently only processed for the file classes (file, dir, lnk_file, ...) by calling the new security_validate_transition function in the selinux_inode_setxattr hook. These rules allow checking process attributes (*3) along with the current object context (*1) and the proposed object context (*2). With these rules, one can require different things of the process based on the relationship of the object's old and new contexts. This allows MLS upgrade and downgrade checks when relabeling an object.

The MLS levels of a subject are used as a sensitivity level (low) and a clearance (high). The user MLS properties have accordingly been modified from a list of ranges to a default level and an allowable range. The high of the allowable range acts as the process clearance, and the default levels

The compile time options for MLS support have been replaced with runtime options/detection. This will allow a vendor to ship one set of tools and one kernel to support both MLS and non-MLS enabled policies. The kernel will automatically determine the MLS status of a policy when it is read. MLS specific checks will be short-circuited if a non-MLS policy is being used. Checkpolicy now uses the "-M" option to work with MLS policies. Libsepol will automatically determine the status of MLS support when a policy is read (like the kernel). There is also an interface to set the MLS status - this is used when checkpolicy is writing the policy.

The binary policy version was incremented to accommodate these changes. The userspace tools and the kernel will still work with older non-MLS binary policies. Checkpolicy (and libsepol) can still work with and create older non-MLS binary policies and the kernel can still use older non-MLS binary policies. Previous versions of binary policies with MLS support cannot be used or created with the new tools/kernel.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Mon 17 Jan 2005 - 18:12:10 EST
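The following is an added example, not part of the post above and not code from the patch or from checkpolicy. It models the two statements the post describes, mlsconstrain (checked on every access, with *1 the subject and *2 the object) and mlsvalidatetrans (checked on relabel, with *1 the old object context, *2 the proposed one and *3 the process), together with the subject's sensitivity level (low) and clearance (high). The post only says the constraint language "was extended to include operations for levels"; the level tokens l1/h1/l2/h2, the operators dom, eq and incomp, the attributes mlsfileupgrade/mlsfiledowngrade and every type and context below are assumptions made for the example.

```python
"""Toy evaluator for the level-aware constraint language the post describes; added
example, not code from the patch or checkpolicy.  Assumed beyond the post: level tokens
l1/h1, l2/h2 (low/high of contexts 1 and 2), operators dom/eq/incomp, and all names below."""
from collections import namedtuple

LEVEL_TOKENS, LEVEL_OPS = {"l1", "h1", "l2", "h2"}, {"dom", "eq", "incomp"}
ID_TOKENS = {f"{k}{i}" for k in "urt" for i in "123"}   # u1 ... t3

class Level(namedtuple("Level", "sens cats", defaults=[frozenset()])):
    """Sensitivity plus category set; dom is the MLS dominance partial order."""
    def dom(self, o): return self.sens >= o.sens and self.cats >= o.cats
    def eq(self, o): return self.sens == o.sens and self.cats == o.cats
    def incomp(self, o): return not (self.dom(o) or o.dom(self))

# user:role:type:low-high; a subject's low is its current level, its high the clearance.
Context = namedtuple("Context", "user role type low high")

class Parser:
    """Recursive descent, precedence or < and < atom, as in checkpolicy."""
    def __init__(self, expr):
        for ch in "(){}":
            expr = expr.replace(ch, f" {ch} ")
        self.toks, self.pos = expr.split(), 0
    def peek(self): return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]               # IndexError on a truncated expression
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None: raise ValueError(f"trailing token {self.peek()!r}")
        return node
    def binop(self, word, sub):
        node = sub()
        while self.peek() == word:
            self.take()
            node = (word, node, sub())
        return node
    def parse_or(self): return self.binop("or", self.parse_and)
    def parse_and(self): return self.binop("and", self.parse_atom)
    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")": raise ValueError("expected ')'")
            return node
        lhs, op, rhs = self.take(), self.take(), self.take()
        if lhs in LEVEL_TOKENS and op in LEVEL_OPS and rhs in LEVEL_TOKENS:
            return ("lvl", op, lhs, rhs)                  # e.g. l1 dom l2
        if lhs in ID_TOKENS and op in ("==", "!="):       # e.g. t3 == { a_t b_t }
            names = set(iter(self.take, "}")) if rhs == "{" else {rhs}
            return ("id", op, lhs, frozenset(names))
        raise ValueError(f"bad atom: {lhs} {op} {rhs}")

def lookup(tok, ctxs):
    """Resolve u1/l2/t3 ... against (source|old, target|new, process)."""
    idx = int(tok[1]) - 1
    if idx >= len(ctxs): raise ValueError(f"{tok} is only valid in a validatetrans rule")
    return getattr(ctxs[idx], {"u": "user", "r": "role", "t": "type", "l": "low", "h": "high"}[tok[0]])

def evaluate(node, ctxs, attrs):
    if node[0] == "or": return evaluate(node[1], ctxs, attrs) or evaluate(node[2], ctxs, attrs)
    if node[0] == "and": return evaluate(node[1], ctxs, attrs) and evaluate(node[2], ctxs, attrs)
    if node[0] == "lvl": return getattr(lookup(node[2], ctxs), node[1])(lookup(node[3], ctxs))
    _, op, lhs, names = node                              # names may be type attributes
    hit = lookup(lhs, ctxs) in set().union(*(attrs.get(n, {n}) for n in names))
    return hit if op == "==" else not hit

class MLSPolicy:
    def __init__(self, attrs):
        self.attrs, self.constrain, self.validatetrans = attrs, [], []
    def mlsconstrain(self, classes, perms, expr):         # checked on every access
        self.constrain.append((set(classes), set(perms), Parser(expr).parse()))
    def mlsvalidatetrans(self, classes, expr):            # checked when relabelling
        self.validatetrans.append((set(classes), Parser(expr).parse()))
    def permitted(self, subj, obj, cls, perm):            # *1 subject, *2 object
        return all(evaluate(a, (subj, obj), self.attrs)
                   for c, p, a in self.constrain if cls in c and perm in p)
    def relabel_ok(self, old, new, proc, cls):            # *1 old, *2 new, *3 process
        return all(evaluate(a, (old, new, proc), self.attrs)
                   for c, a in self.validatetrans if cls in c)

def build_policy():
    p = MLSPolicy({"mlsfileupgrade": {"sysadm_t"}, "mlsfiledowngrade": {"downgrader_t"}})
    p.mlsconstrain(["file", "dir"], ["read"], "l1 dom l2")            # read-down
    p.mlsconstrain(["file", "dir"], ["getattr"], "h1 dom l2")         # within clearance
    p.mlsconstrain(["file"], ["write", "append"], "l2 dom l1")        # strict BLP: write-up ok
    p.mlsconstrain(["dir"], ["add_name", "remove_name"], "l1 eq l2")  # modified BLP: no write-up
    p.mlsconstrain(["file", "dir"], ["create"], "l2 eq h2")           # single-level objects only
    p.mlsvalidatetrans(["file", "dir"], "l1 eq l2 or (l2 dom l1 and t3 == mlsfileupgrade)"
                       " or (l1 dom l2 and t3 == mlsfiledowngrade)")
    return p

# Constructed sample contexts, not taken from the post.
S0, S1, S2, S1_C0 = Level(0), Level(1), Level(2), Level(1, frozenset({"c0"}))
USER = Context("user_u", "user_r", "user_t", S1, S1)             # runs at s1, cleared to s1
ADMIN = Context("sysadm_u", "sysadm_r", "sysadm_t", S0, S2)       # runs at s0, cleared to s2
DOWNGRADER = Context("sysadm_u", "sysadm_r", "downgrader_t", S1, S2)
def file_at(level, high=None):                 # a single-level object unless high is given
    return Context("system_u", "object_r", "user_home_t", level, level if high is None else high)
```

Two points the post makes are visible here: a `t3` test in an mlsconstrain rule raises, because only validatetrans rules carry a third (process) context, and a relabel between incomparable levels is refused by the validatetrans rule for every process, since neither `l1 dom l2` nor `l2 dom l1` holds. Note also that ADMIN, cleared to s2 but running at s0, can stat an s2 file (the `h1` rule) yet cannot read an s1 one (the `l1` rule), which is the current level/clearance split the post describes.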
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009